1 // SPDX-License-Identifier: GPL-2.0+ 2 /* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */ 3 4 #include <linux/kernel.h> 5 #include <linux/module.h> 6 #include <linux/slab.h> 7 #include <linux/nospec.h> 8 9 #include "cfg80211.h" 10 #include "core.h" 11 #include "qlink.h" 12 #include "bus.h" 13 #include "trans.h" 14 #include "util.h" 15 #include "event.h" 16 #include "qlink_util.h" 17 18 static int 19 qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif, 20 const struct qlink_event_sta_assoc *sta_assoc, 21 u16 len) 22 { 23 const u8 *sta_addr; 24 u16 frame_control; 25 struct station_info *sinfo; 26 size_t payload_len; 27 u16 tlv_type; 28 u16 tlv_value_len; 29 const struct qlink_tlv_hdr *tlv; 30 int ret = 0; 31 32 if (unlikely(len < sizeof(*sta_assoc))) { 33 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 34 mac->macid, vif->vifid, len, sizeof(*sta_assoc)); 35 return -EINVAL; 36 } 37 38 if (vif->wdev.iftype != NL80211_IFTYPE_AP) { 39 pr_err("VIF%u.%u: STA_ASSOC event when not in AP mode\n", 40 mac->macid, vif->vifid); 41 return -EPROTO; 42 } 43 44 sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); 45 if (!sinfo) 46 return -ENOMEM; 47 48 sta_addr = sta_assoc->sta_addr; 49 frame_control = le16_to_cpu(sta_assoc->frame_control); 50 51 pr_debug("VIF%u.%u: MAC:%pM FC:%x\n", mac->macid, vif->vifid, sta_addr, 52 frame_control); 53 54 qtnf_sta_list_add(vif, sta_addr); 55 56 sinfo->assoc_req_ies = NULL; 57 sinfo->assoc_req_ies_len = 0; 58 sinfo->generation = vif->generation; 59 60 payload_len = len - sizeof(*sta_assoc); 61 62 qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) { 63 tlv_type = le16_to_cpu(tlv->type); 64 tlv_value_len = le16_to_cpu(tlv->len); 65 66 if (tlv_type == QTN_TLV_ID_IE_SET) { 67 const struct qlink_tlv_ie_set *ie_set; 68 unsigned int ie_len; 69 70 if (tlv_value_len < 71 (sizeof(*ie_set) - sizeof(ie_set->hdr))) { 72 ret = -EINVAL; 73 goto out; 74 } 75 76 ie_set = (const struct qlink_tlv_ie_set *)tlv; 77 ie_len = tlv_value_len - 78 (sizeof(*ie_set) - sizeof(ie_set->hdr)); 79 80 if (ie_set->type == QLINK_IE_SET_ASSOC_REQ && ie_len) { 81 sinfo->assoc_req_ies = ie_set->ie_data; 82 sinfo->assoc_req_ies_len = ie_len; 83 } 84 } 85 } 86 87 if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) { 88 pr_err("Malformed TLV buffer\n"); 89 ret = -EINVAL; 90 goto out; 91 } 92 93 cfg80211_new_sta(vif->netdev, sta_assoc->sta_addr, sinfo, 94 GFP_KERNEL); 95 96 out: 97 kfree(sinfo); 98 return ret; 99 } 100 101 static int 102 qtnf_event_handle_sta_deauth(struct qtnf_wmac *mac, struct qtnf_vif *vif, 103 const struct qlink_event_sta_deauth *sta_deauth, 104 u16 len) 105 { 106 const u8 *sta_addr; 107 u16 reason; 108 109 if (unlikely(len < sizeof(*sta_deauth))) { 110 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 111 mac->macid, vif->vifid, len, 112 sizeof(struct qlink_event_sta_deauth)); 113 return -EINVAL; 114 } 115 116 if (vif->wdev.iftype != NL80211_IFTYPE_AP) { 117 pr_err("VIF%u.%u: STA_DEAUTH event when not in AP mode\n", 118 mac->macid, vif->vifid); 119 return -EPROTO; 120 } 121 122 sta_addr = sta_deauth->sta_addr; 123 reason = le16_to_cpu(sta_deauth->reason); 124 125 pr_debug("VIF%u.%u: MAC:%pM reason:%x\n", mac->macid, vif->vifid, 126 sta_addr, reason); 127 128 if (qtnf_sta_list_del(vif, sta_addr)) 129 cfg80211_del_sta(vif->netdev, sta_deauth->sta_addr, 130 GFP_KERNEL); 131 132 return 0; 133 } 134 135 static int 136 qtnf_event_handle_bss_join(struct qtnf_vif *vif, 137 const struct qlink_event_bss_join *join_info, 138 u16 len) 139 { 140 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 141 enum ieee80211_statuscode status = le16_to_cpu(join_info->status); 142 struct cfg80211_chan_def chandef; 143 struct cfg80211_bss *bss = NULL; 144 u8 *ie = NULL; 145 size_t payload_len; 146 u16 tlv_type; 147 u16 tlv_value_len; 148 const struct qlink_tlv_hdr *tlv; 149 const u8 *rsp_ies = NULL; 150 size_t rsp_ies_len = 0; 151 152 if (unlikely(len < sizeof(*join_info))) { 153 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 154 vif->mac->macid, vif->vifid, len, 155 sizeof(struct qlink_event_bss_join)); 156 return -EINVAL; 157 } 158 159 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) { 160 pr_err("VIF%u.%u: BSS_JOIN event when not in STA mode\n", 161 vif->mac->macid, vif->vifid); 162 return -EPROTO; 163 } 164 165 pr_debug("VIF%u.%u: BSSID:%pM chan:%u status:%u\n", 166 vif->mac->macid, vif->vifid, join_info->bssid, 167 le16_to_cpu(join_info->chan.chan.center_freq), status); 168 169 if (status != WLAN_STATUS_SUCCESS) 170 goto done; 171 172 qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef); 173 if (!cfg80211_chandef_valid(&chandef)) { 174 pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n", 175 vif->mac->macid, vif->vifid, 176 chandef.chan ? chandef.chan->center_freq : 0, 177 chandef.center_freq1, 178 chandef.center_freq2, 179 chandef.width); 180 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 181 goto done; 182 } 183 184 bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid, 185 NULL, 0, IEEE80211_BSS_TYPE_ESS, 186 IEEE80211_PRIVACY_ANY); 187 if (!bss) { 188 pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n", 189 vif->mac->macid, vif->vifid, 190 join_info->bssid, chandef.chan->hw_value); 191 192 if (!vif->wdev.ssid_len) { 193 pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n", 194 vif->mac->macid, vif->vifid, 195 join_info->bssid); 196 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 197 goto done; 198 } 199 200 ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL); 201 if (!ie) { 202 pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n", 203 vif->mac->macid, vif->vifid, 204 join_info->bssid); 205 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 206 goto done; 207 } 208 209 ie[0] = WLAN_EID_SSID; 210 ie[1] = vif->wdev.ssid_len; 211 memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len); 212 213 bss = cfg80211_inform_bss(wiphy, chandef.chan, 214 CFG80211_BSS_FTYPE_UNKNOWN, 215 join_info->bssid, 0, 216 WLAN_CAPABILITY_ESS, 100, 217 ie, 2 + vif->wdev.ssid_len, 218 0, GFP_KERNEL); 219 if (!bss) { 220 pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n", 221 vif->mac->macid, vif->vifid, 222 join_info->bssid); 223 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 224 goto done; 225 } 226 } 227 228 payload_len = len - sizeof(*join_info); 229 230 qlink_for_each_tlv(tlv, join_info->ies, payload_len) { 231 tlv_type = le16_to_cpu(tlv->type); 232 tlv_value_len = le16_to_cpu(tlv->len); 233 234 if (tlv_type == QTN_TLV_ID_IE_SET) { 235 const struct qlink_tlv_ie_set *ie_set; 236 unsigned int ie_len; 237 238 if (tlv_value_len < 239 (sizeof(*ie_set) - sizeof(ie_set->hdr))) { 240 pr_warn("invalid IE_SET TLV\n"); 241 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 242 goto done; 243 } 244 245 ie_set = (const struct qlink_tlv_ie_set *)tlv; 246 ie_len = tlv_value_len - 247 (sizeof(*ie_set) - sizeof(ie_set->hdr)); 248 249 switch (ie_set->type) { 250 case QLINK_IE_SET_ASSOC_RESP: 251 if (ie_len) { 252 rsp_ies = ie_set->ie_data; 253 rsp_ies_len = ie_len; 254 } 255 break; 256 default: 257 pr_warn("unexpected IE type: %u\n", 258 ie_set->type); 259 break; 260 } 261 } 262 } 263 264 if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len)) 265 pr_warn("Malformed TLV buffer\n"); 266 done: 267 cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies, 268 rsp_ies_len, status, GFP_KERNEL); 269 if (bss) { 270 if (!ether_addr_equal(vif->bssid, join_info->bssid)) 271 ether_addr_copy(vif->bssid, join_info->bssid); 272 cfg80211_put_bss(wiphy, bss); 273 } 274 275 if (status == WLAN_STATUS_SUCCESS) 276 netif_carrier_on(vif->netdev); 277 278 kfree(ie); 279 return 0; 280 } 281 282 static int 283 qtnf_event_handle_bss_leave(struct qtnf_vif *vif, 284 const struct qlink_event_bss_leave *leave_info, 285 u16 len) 286 { 287 if (unlikely(len < sizeof(*leave_info))) { 288 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 289 vif->mac->macid, vif->vifid, len, 290 sizeof(struct qlink_event_bss_leave)); 291 return -EINVAL; 292 } 293 294 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) { 295 pr_err("VIF%u.%u: BSS_LEAVE event when not in STA mode\n", 296 vif->mac->macid, vif->vifid); 297 return -EPROTO; 298 } 299 300 pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid); 301 302 cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason), 303 NULL, 0, 0, GFP_KERNEL); 304 netif_carrier_off(vif->netdev); 305 306 return 0; 307 } 308 309 static int 310 qtnf_event_handle_mgmt_received(struct qtnf_vif *vif, 311 const struct qlink_event_rxmgmt *rxmgmt, 312 u16 len) 313 { 314 const size_t min_len = sizeof(*rxmgmt) + 315 sizeof(struct ieee80211_hdr_3addr); 316 const struct ieee80211_hdr_3addr *frame = (void *)rxmgmt->frame_data; 317 const u16 frame_len = len - sizeof(*rxmgmt); 318 enum nl80211_rxmgmt_flags flags = 0; 319 320 if (unlikely(len < min_len)) { 321 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 322 vif->mac->macid, vif->vifid, len, min_len); 323 return -EINVAL; 324 } 325 326 if (le32_to_cpu(rxmgmt->flags) & QLINK_RXMGMT_FLAG_ANSWERED) 327 flags |= NL80211_RXMGMT_FLAG_ANSWERED; 328 329 pr_debug("%s LEN:%u FC:%.4X SA:%pM\n", vif->netdev->name, frame_len, 330 le16_to_cpu(frame->frame_control), frame->addr2); 331 332 cfg80211_rx_mgmt(&vif->wdev, le32_to_cpu(rxmgmt->freq), rxmgmt->sig_dbm, 333 rxmgmt->frame_data, frame_len, flags); 334 335 return 0; 336 } 337 338 static int 339 qtnf_event_handle_scan_results(struct qtnf_vif *vif, 340 const struct qlink_event_scan_result *sr, 341 u16 len) 342 { 343 struct cfg80211_bss *bss; 344 struct ieee80211_channel *channel; 345 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 346 enum cfg80211_bss_frame_type frame_type = CFG80211_BSS_FTYPE_UNKNOWN; 347 size_t payload_len; 348 u16 tlv_type; 349 u16 tlv_value_len; 350 const struct qlink_tlv_hdr *tlv; 351 const u8 *ies = NULL; 352 size_t ies_len = 0; 353 354 if (len < sizeof(*sr)) { 355 pr_err("VIF%u.%u: payload is too short\n", vif->mac->macid, 356 vif->vifid); 357 return -EINVAL; 358 } 359 360 channel = ieee80211_get_channel(wiphy, le16_to_cpu(sr->freq)); 361 if (!channel) { 362 pr_err("VIF%u.%u: channel at %u MHz not found\n", 363 vif->mac->macid, vif->vifid, le16_to_cpu(sr->freq)); 364 return -EINVAL; 365 } 366 367 payload_len = len - sizeof(*sr); 368 369 qlink_for_each_tlv(tlv, sr->payload, payload_len) { 370 tlv_type = le16_to_cpu(tlv->type); 371 tlv_value_len = le16_to_cpu(tlv->len); 372 373 if (tlv_type == QTN_TLV_ID_IE_SET) { 374 const struct qlink_tlv_ie_set *ie_set; 375 unsigned int ie_len; 376 377 if (tlv_value_len < 378 (sizeof(*ie_set) - sizeof(ie_set->hdr))) 379 return -EINVAL; 380 381 ie_set = (const struct qlink_tlv_ie_set *)tlv; 382 ie_len = tlv_value_len - 383 (sizeof(*ie_set) - sizeof(ie_set->hdr)); 384 385 switch (ie_set->type) { 386 case QLINK_IE_SET_BEACON_IES: 387 frame_type = CFG80211_BSS_FTYPE_BEACON; 388 break; 389 case QLINK_IE_SET_PROBE_RESP_IES: 390 frame_type = CFG80211_BSS_FTYPE_PRESP; 391 break; 392 default: 393 frame_type = CFG80211_BSS_FTYPE_UNKNOWN; 394 } 395 396 if (ie_len) { 397 ies = ie_set->ie_data; 398 ies_len = ie_len; 399 } 400 } 401 } 402 403 if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len)) 404 return -EINVAL; 405 406 bss = cfg80211_inform_bss(wiphy, channel, frame_type, 407 sr->bssid, get_unaligned_le64(&sr->tsf), 408 le16_to_cpu(sr->capab), 409 le16_to_cpu(sr->bintval), ies, ies_len, 410 DBM_TO_MBM(sr->sig_dbm), GFP_KERNEL); 411 if (!bss) 412 return -ENOMEM; 413 414 cfg80211_put_bss(wiphy, bss); 415 416 return 0; 417 } 418 419 static int 420 qtnf_event_handle_scan_complete(struct qtnf_wmac *mac, 421 const struct qlink_event_scan_complete *status, 422 u16 len) 423 { 424 if (len < sizeof(*status)) { 425 pr_err("MAC%u: payload is too short\n", mac->macid); 426 return -EINVAL; 427 } 428 429 qtnf_scan_done(mac, le32_to_cpu(status->flags) & QLINK_SCAN_ABORTED); 430 431 return 0; 432 } 433 434 static int 435 qtnf_event_handle_freq_change(struct qtnf_wmac *mac, 436 const struct qlink_event_freq_change *data, 437 u16 len) 438 { 439 struct wiphy *wiphy = priv_to_wiphy(mac); 440 struct cfg80211_chan_def chandef; 441 struct qtnf_vif *vif; 442 int i; 443 444 if (len < sizeof(*data)) { 445 pr_err("MAC%u: payload is too short\n", mac->macid); 446 return -EINVAL; 447 } 448 449 if (!wiphy->registered) 450 return 0; 451 452 qlink_chandef_q2cfg(wiphy, &data->chan, &chandef); 453 454 if (!cfg80211_chandef_valid(&chandef)) { 455 pr_err("MAC%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n", 456 mac->macid, chandef.chan->center_freq, 457 chandef.center_freq1, chandef.center_freq2, 458 chandef.width); 459 return -EINVAL; 460 } 461 462 pr_debug("MAC%d: new channel ieee=%u freq1=%u freq2=%u bw=%u\n", 463 mac->macid, chandef.chan->hw_value, chandef.center_freq1, 464 chandef.center_freq2, chandef.width); 465 466 for (i = 0; i < QTNF_MAX_INTF; i++) { 467 vif = &mac->iflist[i]; 468 469 if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED) 470 continue; 471 472 if (vif->wdev.iftype == NL80211_IFTYPE_STATION && 473 !vif->wdev.current_bss) 474 continue; 475 476 if (!vif->netdev) 477 continue; 478 479 mutex_lock(&vif->wdev.mtx); 480 cfg80211_ch_switch_notify(vif->netdev, &chandef); 481 mutex_unlock(&vif->wdev.mtx); 482 } 483 484 return 0; 485 } 486 487 static int qtnf_event_handle_radar(struct qtnf_vif *vif, 488 const struct qlink_event_radar *ev, 489 u16 len) 490 { 491 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 492 struct cfg80211_chan_def chandef; 493 494 if (len < sizeof(*ev)) { 495 pr_err("MAC%u: payload is too short\n", vif->mac->macid); 496 return -EINVAL; 497 } 498 499 if (!wiphy->registered || !vif->netdev) 500 return 0; 501 502 qlink_chandef_q2cfg(wiphy, &ev->chan, &chandef); 503 504 if (!cfg80211_chandef_valid(&chandef)) { 505 pr_err("MAC%u: bad channel f1=%u f2=%u bw=%u\n", 506 vif->mac->macid, 507 chandef.center_freq1, chandef.center_freq2, 508 chandef.width); 509 return -EINVAL; 510 } 511 512 pr_info("%s: radar event=%u f1=%u f2=%u bw=%u\n", 513 vif->netdev->name, ev->event, 514 chandef.center_freq1, chandef.center_freq2, 515 chandef.width); 516 517 switch (ev->event) { 518 case QLINK_RADAR_DETECTED: 519 cfg80211_radar_event(wiphy, &chandef, GFP_KERNEL); 520 break; 521 case QLINK_RADAR_CAC_FINISHED: 522 if (!vif->wdev.cac_started) 523 break; 524 525 cfg80211_cac_event(vif->netdev, &chandef, 526 NL80211_RADAR_CAC_FINISHED, GFP_KERNEL); 527 break; 528 case QLINK_RADAR_CAC_ABORTED: 529 if (!vif->wdev.cac_started) 530 break; 531 532 cfg80211_cac_event(vif->netdev, &chandef, 533 NL80211_RADAR_CAC_ABORTED, GFP_KERNEL); 534 break; 535 case QLINK_RADAR_CAC_STARTED: 536 if (vif->wdev.cac_started) 537 break; 538 539 if (!wiphy_ext_feature_isset(wiphy, 540 NL80211_EXT_FEATURE_DFS_OFFLOAD)) 541 break; 542 543 cfg80211_cac_event(vif->netdev, &chandef, 544 NL80211_RADAR_CAC_STARTED, GFP_KERNEL); 545 break; 546 default: 547 pr_warn("%s: unhandled radar event %u\n", 548 vif->netdev->name, ev->event); 549 break; 550 } 551 552 return 0; 553 } 554 555 static int 556 qtnf_event_handle_external_auth(struct qtnf_vif *vif, 557 const struct qlink_event_external_auth *ev, 558 u16 len) 559 { 560 struct cfg80211_external_auth_params auth = {0}; 561 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 562 int ret; 563 564 if (len < sizeof(*ev)) { 565 pr_err("MAC%u: payload is too short\n", vif->mac->macid); 566 return -EINVAL; 567 } 568 569 if (!wiphy->registered || !vif->netdev) 570 return 0; 571 572 if (ev->ssid_len) { 573 int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN); 574 575 memcpy(auth.ssid.ssid, ev->ssid, len); 576 auth.ssid.ssid_len = len; 577 } 578 579 auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite); 580 ether_addr_copy(auth.bssid, ev->bssid); 581 auth.action = ev->action; 582 583 pr_debug("%s: external SAE processing: bss=%pM action=%u akm=%u\n", 584 vif->netdev->name, auth.bssid, auth.action, 585 auth.key_mgmt_suite); 586 587 ret = cfg80211_external_auth_request(vif->netdev, &auth, GFP_KERNEL); 588 if (ret) 589 pr_warn("failed to offload external auth request\n"); 590 591 return ret; 592 } 593 594 static int 595 qtnf_event_handle_mic_failure(struct qtnf_vif *vif, 596 const struct qlink_event_mic_failure *mic_ev, 597 u16 len) 598 { 599 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 600 u8 pairwise; 601 602 if (len < sizeof(*mic_ev)) { 603 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 604 vif->mac->macid, vif->vifid, len, 605 sizeof(struct qlink_event_mic_failure)); 606 return -EINVAL; 607 } 608 609 if (!wiphy->registered || !vif->netdev) 610 return 0; 611 612 if (vif->wdev.iftype != NL80211_IFTYPE_STATION) { 613 pr_err("VIF%u.%u: MIC_FAILURE event when not in STA mode\n", 614 vif->mac->macid, vif->vifid); 615 return -EPROTO; 616 } 617 618 pairwise = mic_ev->pairwise ? 619 NL80211_KEYTYPE_PAIRWISE : NL80211_KEYTYPE_GROUP; 620 621 pr_info("%s: MIC error: src=%pM key_index=%u pairwise=%u\n", 622 vif->netdev->name, mic_ev->src, mic_ev->key_index, pairwise); 623 624 cfg80211_michael_mic_failure(vif->netdev, mic_ev->src, pairwise, 625 mic_ev->key_index, NULL, GFP_KERNEL); 626 627 return 0; 628 } 629 630 static int 631 qtnf_event_handle_update_owe(struct qtnf_vif *vif, 632 const struct qlink_event_update_owe *owe_ev, 633 u16 len) 634 { 635 struct wiphy *wiphy = priv_to_wiphy(vif->mac); 636 struct cfg80211_update_owe_info owe_info = {}; 637 const u16 ie_len = len - sizeof(*owe_ev); 638 u8 *ie; 639 640 if (len < sizeof(*owe_ev)) { 641 pr_err("VIF%u.%u: payload is too short (%u < %zu)\n", 642 vif->mac->macid, vif->vifid, len, 643 sizeof(struct qlink_event_update_owe)); 644 return -EINVAL; 645 } 646 647 if (!wiphy->registered || !vif->netdev) 648 return 0; 649 650 if (vif->wdev.iftype != NL80211_IFTYPE_AP) { 651 pr_err("VIF%u.%u: UPDATE_OWE event when not in AP mode\n", 652 vif->mac->macid, vif->vifid); 653 return -EPROTO; 654 } 655 656 ie = kzalloc(ie_len, GFP_KERNEL); 657 if (!ie) 658 return -ENOMEM; 659 660 memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN); 661 memcpy(ie, owe_ev->ies, ie_len); 662 owe_info.ie_len = ie_len; 663 owe_info.ie = ie; 664 665 pr_info("%s: external OWE processing: peer=%pM\n", 666 vif->netdev->name, owe_ev->peer); 667 668 cfg80211_update_owe_info_event(vif->netdev, &owe_info, GFP_KERNEL); 669 kfree(ie); 670 671 return 0; 672 } 673 674 static int qtnf_event_parse(struct qtnf_wmac *mac, 675 const struct sk_buff *event_skb) 676 { 677 const struct qlink_event *event; 678 struct qtnf_vif *vif = NULL; 679 int ret = -1; 680 u16 event_id; 681 u16 event_len; 682 u8 vifid; 683 684 event = (const struct qlink_event *)event_skb->data; 685 event_id = le16_to_cpu(event->event_id); 686 event_len = le16_to_cpu(event->mhdr.len); 687 688 if (event->vifid >= QTNF_MAX_INTF) { 689 pr_err("invalid vif(%u)\n", event->vifid); 690 return -EINVAL; 691 } 692 693 vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF); 694 vif = &mac->iflist[vifid]; 695 696 switch (event_id) { 697 case QLINK_EVENT_STA_ASSOCIATED: 698 ret = qtnf_event_handle_sta_assoc(mac, vif, (const void *)event, 699 event_len); 700 break; 701 case QLINK_EVENT_STA_DEAUTH: 702 ret = qtnf_event_handle_sta_deauth(mac, vif, 703 (const void *)event, 704 event_len); 705 break; 706 case QLINK_EVENT_MGMT_RECEIVED: 707 ret = qtnf_event_handle_mgmt_received(vif, (const void *)event, 708 event_len); 709 break; 710 case QLINK_EVENT_SCAN_RESULTS: 711 ret = qtnf_event_handle_scan_results(vif, (const void *)event, 712 event_len); 713 break; 714 case QLINK_EVENT_SCAN_COMPLETE: 715 ret = qtnf_event_handle_scan_complete(mac, (const void *)event, 716 event_len); 717 break; 718 case QLINK_EVENT_BSS_JOIN: 719 ret = qtnf_event_handle_bss_join(vif, (const void *)event, 720 event_len); 721 break; 722 case QLINK_EVENT_BSS_LEAVE: 723 ret = qtnf_event_handle_bss_leave(vif, (const void *)event, 724 event_len); 725 break; 726 case QLINK_EVENT_FREQ_CHANGE: 727 ret = qtnf_event_handle_freq_change(mac, (const void *)event, 728 event_len); 729 break; 730 case QLINK_EVENT_RADAR: 731 ret = qtnf_event_handle_radar(vif, (const void *)event, 732 event_len); 733 break; 734 case QLINK_EVENT_EXTERNAL_AUTH: 735 ret = qtnf_event_handle_external_auth(vif, (const void *)event, 736 event_len); 737 break; 738 case QLINK_EVENT_MIC_FAILURE: 739 ret = qtnf_event_handle_mic_failure(vif, (const void *)event, 740 event_len); 741 break; 742 case QLINK_EVENT_UPDATE_OWE: 743 ret = qtnf_event_handle_update_owe(vif, (const void *)event, 744 event_len); 745 break; 746 default: 747 pr_warn("unknown event type: %x\n", event_id); 748 break; 749 } 750 751 return ret; 752 } 753 754 static int qtnf_event_process_skb(struct qtnf_bus *bus, 755 const struct sk_buff *skb) 756 { 757 const struct qlink_event *event; 758 struct qtnf_wmac *mac; 759 int res; 760 761 if (unlikely(!skb || skb->len < sizeof(*event))) { 762 pr_err("invalid event buffer\n"); 763 return -EINVAL; 764 } 765 766 event = (struct qlink_event *)skb->data; 767 768 mac = qtnf_core_get_mac(bus, event->macid); 769 770 pr_debug("new event id:%x len:%u mac:%u vif:%u\n", 771 le16_to_cpu(event->event_id), le16_to_cpu(event->mhdr.len), 772 event->macid, event->vifid); 773 774 if (unlikely(!mac)) 775 return -ENXIO; 776 777 rtnl_lock(); 778 res = qtnf_event_parse(mac, skb); 779 rtnl_unlock(); 780 781 return res; 782 } 783 784 void qtnf_event_work_handler(struct work_struct *work) 785 { 786 struct qtnf_bus *bus = container_of(work, struct qtnf_bus, event_work); 787 struct sk_buff_head *event_queue = &bus->trans.event_queue; 788 struct sk_buff *current_event_skb = skb_dequeue(event_queue); 789 790 while (current_event_skb) { 791 qtnf_event_process_skb(bus, current_event_skb); 792 dev_kfree_skb_any(current_event_skb); 793 current_event_skb = skb_dequeue(event_queue); 794 } 795 } 796